CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2016.


Acknowledgement
http://ilta.ebiz.uapps.net/ProductFiles/productfiles/672/wireshark.ppt
UC Berkeley course “EE 122: Intro to Communication Networks”: http://www.eecs.berkeley.edu/~jortiz/courses/ee122/presentations/Wireshark.ppt
Other resources: http://openmaniak.com/wireshark_filters.php

Motivation for Network Monitoring
Essential for network management:
  Router and firewall policy
  Detecting abnormal behavior and errors in the network
  Access control
Security management:
  Detecting abnormal traffic
  Traffic log for future forensic analysis

Tools Overview: Tcpdump, Tshark, Wireshark
Tcpdump: Unix-based command-line tool used to intercept packets
  Including filtering to just the packets of interest
  Reads “live traffic” from the interface specified using the -i option ...
  ... or from a previously recorded trace file specified using the -r option
  You create these when capturing live traffic using the -w option
Tshark: tcpdump-like capture program that comes with Wireshark
  Very similar behavior & flags to tcpdump
Wireshark: GUI for displaying tcpdump/tshark packet traces

Tcpdump example
Ran tcpdump on a Unix machine. First few lines of the output:
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560

What does a line convey?
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
  Timestamp: 01:46:28.808262
  This is an IP packet: IP
  Source host name: danjo.CS.Berkeley.EDU
  Source port number (22): ssh
  Destination host name: adsl-69-228-230-7.dsl.pltn13.pacbell.net
  Destination port number: 2481
  TCP specific information: . 2513546054:2513547434(1380) ack 1268355216 win 12816
Different output formats for different packet types

Similar Output from Tshark
1190003744.940437 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003744.940916 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003744.955764 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0 TSV=445871583 TSER=632535493
1190003745.035678 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003745.036004 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003745.050970 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=96 Ack=96 Win=65514 Len=0 TSV=445871583 TSER=632535502

Demo 1 - Basic Run
Syntax: tcpdump [options] [filter expression]
Unfortunately, the Eustis machine does not allow normal users to run tcpdump
$ sudo tcpdump -i eth0
The sudo command allows you to run tcpdump with root privilege
On your own Unix machine, you can run it using “sudo”, or run “tcpdump” directly if you have root privilege
Observe the output
Depending on the kind of traffic, make some general observations: sources, destinations, kinds of traffic, DNS requests, etc.
Too much output.

Filters We are often not interested in all packets flowing through the network Use filters to capture only packets of interest to us

Demo 2
Capture only UDP packets: tcpdump “udp”
Capture only TCP packets: tcpdump “tcp”

Demo 2 (contd.)
Capture only UDP packets with destination port 53 (DNS requests): tcpdump “udp dst port 53”
Capture only UDP packets with source port 53 (DNS replies): tcpdump “udp src port 53”
Capture only UDP packets with source or destination port 53 (DNS requests and replies): tcpdump “udp port 53”

Demo 2 (contd.)
Capture only packets destined to longwood.eecs.ucf.edu: tcpdump “dst host longwood.eecs.ucf.edu”
Capture both DNS packets and TCP packets to/from longwood.eecs.ucf.edu: tcpdump “(tcp and host longwood.eecs.ucf.edu) or udp port 53”
Ping quasar.cs.berkeley.edu. Demonstrates the use of “or”

How to write filters
Refer to the tcpdump/tshark man page
Many example webpages on the Internet

Running tcpdump
Requires superuser/administrator privileges on Unix: http://www.tcpdump.org/
You can do it on your own Unix machine
You can install a Linux OS in VMware on your Windows machine
Tcpdump for Windows: WinDump, http://www.winpcap.org/windump/ (free software)

So What is WireShark?
Packet sniffer/protocol analyzer
Open source network tool
Latest version of the Ethereal tool

What is tShark?
The command-line based packet capture tool, equivalent to Wireshark

Network Layered Structure: What is the Internet?
Application: Web, Email, VoIP
Transport: TCP, UDP
Network: IP
Data Link: Ethernet, cellular
Physical link

Wireshark Interface

Wireshark Interface

Status Bar

Capture Options
Promiscuous mode is used to capture all traffic
Sometimes this does not work: the driver does not support it, or you are on a switched LAN

Capture Filter

Capture Filter examples
host 10.1.11.24
host 192.168.0.1 and host 10.1.11.1
tcp port http
ip
not broadcast not multicast
ether host 00:04:13:00:09:a3

Capture Buffer Usage

Capture Interfaces

Interface Details: Characteristics

Interface Details: Statistics

Interface Details: 802.3 (Ethernet)

Display Filters (Post-Filters)
Display filters (also called post-filters) only filter the view of what you are seeing. All packets in the capture still exist in the trace.
Display filters use their own format and are much more powerful than capture filters

Display Filter

Display Filter Examples
ip.src==10.1.11.00/24
ip.addr==192.168.1.10 && ip.addr==192.168.1.20
tcp.port==80 || tcp.port==3389
!(ip.addr==192.168.1.10 && ip.addr==192.168.1.20)
(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139)
(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (udp.port==67 || udp.port==68)
tcp.dstport == 80

Display Filter

TCP segment structure (32 bits wide):
  source port # | dest port #
  sequence number (counting by bytes of data, not segments!)
  acknowledgement number
  head len | not used | flags U A P R S F | receive window (# bytes rcvr willing to accept)
  checksum (Internet checksum, as in UDP) | urg data pointer
  Options (variable length)
  application data (variable length)
Flags: URG: urgent data (generally not used); ACK: ACK # valid; PSH: push data now; RST, SYN, FIN: connection estab (setup, teardown commands)

Display Filter
String1, String2 (optional settings): sub-protocol categories inside the protocol. Look for a protocol and then click on the "+" character.
Example:
  tcp.srcport == 80
  tcp.flags == 2          SYN packet
  tcp.flags.syn == 1
  tcp.flags == 18         SYN/ACK
Note on the TCP flag field:

Display Filter Expressions
  snmp || dns || icmp        Display the SNMP or DNS or ICMP traffic.
  tcp.port == 25             Display packets with TCP source or destination port 25.
  tcp.flags                  Display packets having a TCP flags field.
  tcp.flags.syn == 0x02      Display packets with a TCP SYN flag.
If the filter syntax is correct, it will be highlighted in green; if there is a syntax mistake, it will be highlighted in red.

Save Filtered Packets After Using Display Filter
We can also save all filtered packets in a text file for further analysis
Operation: File -> Export Packet Dissections -> as “plain text” file
  1). In the “packet range” option, select “Displayed”
  2). In the packet format option, choose “summary line” or “details”

Protocol Hierarchy

Protocol Hierarchy

Follow TCP Stream

Follow TCP Stream
red - stuff you sent
blue - stuff you get

Filter out/in Single TCP Stream
When you click “filter out this TCP stream” in the previous page’s box, the new filter string will look like: http and !(tcp.stream eq 5)
So, if you use “tcp.stream eq 5” as the filter string, you keep only this HTTP session

Expert Info

Expert Info

Conversations

Conversations

Use the “Copy” button to copy all text into the clipboard
Then, you can analyze this text file to get whatever statistics you want

Find EndPoint Statistics
Menu “statistics” -> “endpoint list” -> “TCP”
You can sort by field: “Tx”: transmit, “Rx”: receive

Find EndPoint Statistics
Use the “Copy” button to copy all text into the clipboard
Then, you can analyze this text file to get whatever statistics you want

Flow Graphs

Flow Graphs
The “displayed packet” option lets you show only the flow of the packets currently displayed; for example, display only HTTP traffic, then show that flow to analyze it

Flow Graphs

Export HTTP

Export HTTP Objects

HTTP Analysis

HTTP Analysis – Load Distribution
Click the “Create Stat” button
You can add a “filter” to show only selected traffic

HTTP Analysis – Packet Counter

HTTP Analysis – Requests

Improving WireShark Performance
Don’t use capture filters
Increase your read buffer size
Don’t update the screen dynamically
Get a faster computer
Use a TAP
Don’t resolve names

Post-Processing Text File
For saved text-format packet files, further analysis needs coding or special tools
One useful tool on Unix: grep, a command-line utility for searching plain-text data sets for lines matching a regular expression.
On Windows: PowerGrep, http://www.powergrep.com/

Basic usage of grep
Command-line text-search program in Linux. Some useful usage:
  grep 'word' filename           # find lines with 'word'
  grep -v 'word' filename        # find lines without 'word'
  grep '^word' filename          # find lines beginning with 'word'
  grep 'word' filename > file2   # output lines with 'word' to file2
  ls -l | grep rwxrwxrwx         # list files that have the 'rwxrwxrwx' permission string
  grep '^[0-4]' filename         # find lines beginning with any of the digits 0-4
  grep -c 'word' filename        # find lines with 'word' and print the number of these lines
  grep -i 'word' filename        # find lines with 'word' regardless of case
Many tutorials on grep online:
  http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/
  http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
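As an added example (not part of the slides), the script below post-processes a saved tcpdump-style text file with grep and awk, pulling out the fields described on the “What does a line convey?” slide and computing the kind of per-host and per-port statistics the post-processing slides suggest. The sample file is constructed inline: the first four lines are the tcpdump output quoted earlier, the last two are made-up DNS lines in the same format; the file path under TMPDIR and the host names in the demo calls are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): post-process a saved tcpdump-style text
# export with grep and awk, using the field layout explained on the
# "What does a line convey?" slide. The sample file is constructed here so the
# script runs offline: the first four lines are the tcpdump output quoted on the
# slides, the last two are made-up DNS lines in the same format.
TRACE="${TMPDIR:-/tmp}/tcpdump_sample.txt"
cat > "$TRACE" <<'EOF'
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
01:46:29.102233 IP client.example.net.40001 > resolver.example.net.domain: 4321+ A? example.com. (29)
01:46:29.104991 IP resolver.example.net.domain > client.example.net.40001: 4321 1/0/0 A 192.0.2.10 (45)
EOF

# Packets whose destination port (the text after the last '.' of field 5,
# before the ':') is $1, e.g. 2481, ssh or domain.
count_to_port() {
    grep -c " > [^ ]*\.$1: " "$TRACE" || true
}

# Segments carrying a given tcpdump flag letter (S, P, F, R, or '.' for none);
# -F keeps the pattern literal so '.' does not match every flag letter.
count_tcp_flag() {
    grep -cF ": $1 " "$TRACE" || true
}

# Payload bytes "(N)" sent by one source host: strip the port suffix from
# field 3 to compare the host name, then sum the parenthesised byte counts.
bytes_from_host() {
    awk -v host="$1" '
        $3 ~ ("^" host "\\.") && match($0, /\([0-9]+\)/) {
            total += substr($0, RSTART + 1, RLENGTH - 2)
        }
        END { print total + 0 }' "$TRACE"
}

# Stand-alone run: a few of the statistics the slides suggest extracting.
echo "Packets to port 2481:  $(count_to_port 2481)"
echo "Segments with PSH set: $(count_tcp_flag P)"
echo "Bytes from danjo:      $(bytes_from_host danjo.CS.Berkeley.EDU)"
```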

On-line Wireshark Trace Files
Publicly available .pcap files:
  http://www.netresec.com/?page=PcapFiles
  http://www.tp.org/jay/nwanalysis/traces/Lab%20Trace%20Files/
Wiki sample captures: https://wiki.wireshark.org/SampleCaptures

Example Trace File and Questions
Network Forensic Puzzle Contests: http://forensicscontest.com/2010/02/03/puzzle-4-the-curious-mr-x
SharkFest'15 Packet Challenge: https://sharkfest.wireshark.org/assets/presentations15/packetchallenge.zip